General Data Protection Regulation (GDPR)

A regulation of the European Union (EU) governing how businesses and entities, in the EU and across the world, access, process and store data about individuals in the context of selling goods or services to EU citizens. This includes their:

Emails

ID Cards

Passports

Driver’s Licences

Credit Cards

Bank Details

Medical Records

Social Media Posts

Computer IP Addresses

This regulation applies globally (that is, regardless of whether the business is inside or outside the EU). It will therefore have a major effect on entities in CARICOM/CARIFORUM.

Sectors Likely To Be Significantly Affected (including, but not limited to)

Hotel/Hospitality

Car Rental Companies

Off-shore Companies

Medical Facilities

E-commerce businesses/platforms

App Developers

Cloud Services

Insurance Companies

Compliance Deadline

May 25, 2018

Penalties For Non-Compliance

Two tiers

Tier 1 Penalty

Breaches involving highly important information – up to 4% of the previous year’s global annual turnover or €20 million, whichever is greater.

Tier 2 Penalty

Any other breach – up to 2% of the previous year’s global annual turnover or €10 million, whichever is greater.

Issues To Be Addressed (Overview)

Permission

Does the entity ask customers for permission before using their data?

Does it state the intended use?

If an entity is found to be misusing data, the highest penalty tier is triggered.

Entities MUST obtain explicit consent.

For e-commerce transactions, no pre-ticked boxes.

The individual must always choose to tick the box themselves.

If an entity wants to use personal information for multiple purposes, express/explicit consent MUST be given separately for each purpose.

Entities MUST record 1) how consent was given, 2) from whom, 3) when, 4) how and 5) what interested parties were told.

There must be no use of confusing language or legalese. It must be easy for individuals to understand what they are giving permission for, and just as easy to withdraw that permission at a later date.

A ‘consent request’ MUST NOT be bundled with standard terms and conditions.

If your entity works with third parties, the individual must give prior consent before their data is shared with those third parties.

What Constitutes A Data Breach

Personal Data Breach

Not only a loss of data, but any breach of security resulting in:

Destruction

Loss

Alteration

Unauthorised disclosure of, or

Unauthorised access to, personal data.

When Must The Relevant Authority Be Notified?

This must be done without undue delay, and within 72 hours of becoming aware of a personal data breach.

The entity MUST state:

Its nature

Approximate number of people affected

Contact information for the company’s/organisation’s Data Protection Officer (DPO), if one has been appointed.